Veracode Static Analysis Pipeline Scan and SARIF import

GitHub Action, v1.0.9
Initiate a Veracode Static Analysis Pipeline Scan and convert the results file to a valid SARIF file

Installation

Copy and paste the following snippet into your .yml file.

    - name: Veracode Static Analysis Pipeline Scan and SARIF import
      uses: veracode/veracode-pipeline-scan-results-to-sarif@v1.0.9

Learn more about this action in veracode/veracode-pipeline-scan-results-to-sarif

Veracode Static Analysis Pipeline scan and import of results to SARIF - GitHub Action

This action has a workflow which initiates a Veracode Static Analysis Pipeline Scan, takes the pipeline scan JSON result file as its input and transforms it into SARIF format.

Add -jo true to your Pipeline Scan command to generate the JSON result file. See details for the other pipeline scan attributes.

If your GitHub account allows code scanning alerts, you can then upload the sarif file to show the scan findings.

Run a pipeline scan of your application code within your GitHub development pipeline. The action also converts the scan results to a Static Analysis Results Interchange Format (SARIF) file and imports them as code-scanning alerts. To view the scan results, in your GitHub project, select Security > Code scanning alerts.

To configure this action, edit the settings in the provided /workflows/main.yml file. For example, if you do not want the action to convert the scan results from JSON format to SARIF format and import them into GitHub, you can remove or comment out those settings.


Inputs

pipeline-results-json

Required The path to the pipeline json result file.

Default value "results.json"

output-results-sarif

Optional The path to the SARIF format result file.

Default value "veracode-results.sarif"

source-base-path-1, source-base-path-2, source-base-path-3

Optional In some compilations the file path recorded in a finding is not relative to the repository root. To let a code scanning alert link back to the file in the repository, a base path mapping is required. The input format is regex based: "[search pattern]:[replace with pattern]". Up to three mappings can be given, one per input.

Default value ""

finding-rule-level

WARNING
The 'finding-rule-level' input is deprecated and will be removed in a future release.
It will be overwritten with 4:3:0.
This setting is no longer needed because GitHub has introduced granular control over the severity of findings.
Please find more information here: https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/#about-security-severity-levels

Optional The conversion rule from Veracode finding levels to Github levels.

  • Veracode levels: 5 = Very High, 4 = High, 3 = Medium, 2 = Low, 1 = Very Low, 0 = informational.
  • GitHub levels: error, warning, note.

Example values:

  • "4:3:0" => High and Very high will show as error, Medium as warning and the rest as note
  • "3:2:1" => Medium and above will show as error, Low as warning, Very Low as note, and informational will not show at all

Note: only findings imported at the error level fail the pull request check.

Default value "4:3:0"
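As an added illustration of the two inputs above (this is not the action's own source, which lives in src/action.ts of the repository), the following standalone TypeScript converter applies the finding-rule-level mapping and the source-base-path regex rewriting to a constructed results file and emits a minimal SARIF 2.1.0 document. The pipeline-scan JSON field names it reads (findings[].severity, cwe_id, issue_type, display_text, files.source_file.file and .line) are assumed from the pipeline scan output format and should be checked against a real results.json; the sample findings are constructed, not real scan output.

```typescript
// Added example (not the action's own code): Veracode pipeline-scan JSON -> SARIF 2.1.0,
// demonstrating the "E:W:N" finding-rule-level mapping and "[regex]:[replacement]" path rewriting.
// ASSUMPTION: the results.json field names below follow the pipeline scan output as understood
// by the author of this example; verify them against a real results.json before relying on them.

type SarifLevel = "error" | "warning" | "note";

interface PipelineFinding {
  issue_id: number;
  severity: number;       // 5 Very High, 4 High, 3 Medium, 2 Low, 1 Very Low, 0 informational
  cwe_id: string;
  issue_type: string;
  display_text: string;   // assumed to carry HTML markup, as Veracode's UI text does
  files: { source_file: { file: string; line: number } };
}

interface PipelineResults { findings: PipelineFinding[] }

interface SarifResult {
  ruleId: string;
  level: SarifLevel;
  message: { text: string };
  locations: { physicalLocation: { artifactLocation: { uri: string; uriBaseId: string }; region: { startLine: number } } }[];
  partialFingerprints: Record<string, string>;
}

// Parse "error:warning:note" thresholds such as "4:3:0" and reject malformed or non-descending specs.
export function parseRuleLevel(spec: string): { error: number; warning: number; note: number } {
  const parts = spec.split(":").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 5)) {
    throw new Error(`invalid finding-rule-level "${spec}", expected e.g. "4:3:0"`);
  }
  const [error, warning, note] = parts as [number, number, number];
  if (!(error >= warning && warning >= note)) throw new Error(`thresholds must descend: "${spec}"`);
  return { error, warning, note };
}

// Map a Veracode severity to a GitHub level. Severities below the note threshold are dropped
// (null), which is how "3:2:1" hides informational findings while "4:3:0" shows everything.
export function mapLevel(severity: number, spec = "4:3:0"): SarifLevel | null {
  const t = parseRuleLevel(spec);
  if (severity >= t.error) return "error";
  if (severity >= t.warning) return "warning";
  if (severity >= t.note) return "note";
  return null;
}

// Apply source-base-path rules in order; the first rule whose search regex matches rewrites the path.
// Empty rules are skipped so unset source-base-path-N inputs (default "") are harmless. Each rule is
// split at its first ':' so the replacement may itself contain ':' (design choice of this example).
export function rewritePath(file: string, rules: string[]): string {
  for (const rule of rules) {
    if (rule === "") continue;
    const sep = rule.indexOf(":");
    if (sep < 1) throw new Error(`invalid source-base-path rule "${rule}"`);
    const re = new RegExp(rule.slice(0, sep));
    if (re.test(file)) return file.replace(re, rule.slice(sep + 1));
  }
  return file;
}

export function toSarif(results: PipelineResults, opts: { ruleLevel?: string; basePaths?: string[] } = {}) {
  const rules = new Map<string, { id: string; name: string; shortDescription: { text: string }; helpUri: string }>();
  const sarifResults: SarifResult[] = [];
  for (const f of results.findings) {
    const level = mapLevel(f.severity, opts.ruleLevel);
    if (level === null) continue;                       // below the note threshold: not imported
    const ruleId = `CWE-${f.cwe_id}`;                   // one SARIF rule per CWE, deduplicated
    if (!rules.has(ruleId)) {
      rules.set(ruleId, { id: ruleId, name: f.issue_type, shortDescription: { text: f.issue_type },
        helpUri: `https://cwe.mitre.org/data/definitions/${f.cwe_id}.html` });
    }
    sarifResults.push({
      ruleId,
      level,
      message: { text: f.display_text.replace(/<[^>]+>/g, "") },   // strip HTML tags from the message
      locations: [{ physicalLocation: {
        artifactLocation: { uri: rewritePath(f.files.source_file.file, opts.basePaths ?? []), uriBaseId: "%SRCROOT%" },
        region: { startLine: Math.max(1, f.files.source_file.line) },   // SARIF requires startLine >= 1
      } }],
      partialFingerprints: { veracodeIssueId: String(f.issue_id) },   // extra stable key; GitHub adds its own line hash
    });
  }
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "Veracode Static Analysis Pipeline Scan", rules: Array.from(rules.values()) } },
             results: sarifResults }],
  };
}

// Constructed sample in the assumed shape of a pipeline-scan results.json (not real scan output).
export const SAMPLE: PipelineResults = { findings: [
  { issue_id: 1001, severity: 4, cwe_id: "89", issue_type: "SQL Injection",
    display_text: "<span>This call to executeQuery() builds its query from untrusted input.</span>",
    files: { source_file: { file: "com/veracode/app/UserDao.java", line: 42 } } },
  { issue_id: 1002, severity: 3, cwe_id: "79", issue_type: "Cross-Site Scripting",
    display_text: "<span>A request parameter is written to the page without encoding.</span>",
    files: { source_file: { file: "WEB-INF/views/profile.jsp", line: 17 } } },
  { issue_id: 1003, severity: 0, cwe_id: "117", issue_type: "Improper Output Neutralization for Logs",
    display_text: "<span>User-controlled data is written to the log.</span>",
    files: { source_file: { file: "lib/logging/Audit.java", line: 0 } } },
] };
export const BASE_PATHS = ["^com/veracode:src/main/java/com/veracode", "^WEB-INF:src/main/webapp/WEB-INF", ""];
```

To run it against a real file, read results.json with fs.readFileSync, pass the parsed object to toSarif with the same basePaths you would give the action, and write JSON.stringify(sarif) to the path you hand to upload-sarif. With the default "4:3:0" all three sample findings are imported (the informational one as a note, with its line clamped to 1); with "3:2:1" the informational finding is dropped and only two rules remain in the tool driver.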

Example usage

  results_to_sarif:
    needs: pipeline_scan
    runs-on: ubuntu-latest
    name: import pipeline results to sarif
    steps:
      # results.json must be present in this job's workspace; when pipeline_scan runs
      # as a separate job, the file has to be handed over to this job as an artifact.
      - name: Convert pipeline scan output to SARIF format
        id: convert
        # tag assumed to match this page's version of the action
        uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.9
        with:
          pipeline-results-json: results.json
          output-results-sarif: veracode-results.sarif
          source-base-path-1: "^com/veracode:src/main/java/com/veracode"
          source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"

      # upload-sarif needs the security-events: write permission on the job's token
      - name: upload sarif file to repository
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: veracode-results.sarif

Build the package on your own

ncc build src/action.ts